You can sign commits and tags locally, so other people can verify that your work comes from a trusted source. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag as verified.

If a commit or tag has a signature that cannot be verified, GitHub marks the commit or tag as unverified.

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "About required commit signing."

GitHub automatically GPG-signs commits you make through the GitHub web interface. These commits show a verified status on GitHub, and you can verify the signature locally against the public key published at https://github.com/web-flow.gpg.

You can use S/MIME to sign commits with an X.509 key issued by your organization.

GitHub uses the Debian ca-certificates package, the same trust store used by Mozilla browsers, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key in a trusted root certificate. Because verification runs against that bundle, a signing certificate that chains only to a private CA which is not in it cannot be verified by GitHub, even when your own machines trust that CA.
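The trust-store rule above can be reproduced locally with openssl's CMS commands. The script below is an added example, not code from GitHub or Git: GitHub's verifier and git's `gpg.x509.program` (such as smimesign) are not used, and openssl stands in for them. Everything in it is constructed for the demo: an "Example Corp" root CA, a signing certificate for "Alice Developer" issued by that root, an unrelated root standing in for a trust store that lacks Alice's CA, and a fake commit object used as the signed payload. The same detached signature is checked three ways: against a store holding the issuing root (verified), against a store holding only the unrelated root (unverified, which is what GitHub reports for a private CA absent from its bundle), and with the right root but an altered payload (unverified).

```shell
#!/bin/sh
# Added example, not GitHub's or Git's code: models the trust-store check behind
# the "verified" / "unverified" S/MIME badge with openssl's CMS tooling.
# All names, certificates and the payload below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Extensions for the end-entity certificate: what an S/MIME signing cert carries.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
EOF

# make_pki: an organizational root CA, Alice's certificate issued by it, and a
# second root that has nothing to do with Alice (a trust store lacking her CA).
make_pki() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Corp/CN=Example Corp Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Other Org/CN=Unrelated Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=Example Corp/CN=Alice Developer/emailAddress=alice@example.com" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/alice.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/alice.crt" 2>/dev/null
}

# sign_payload: detached CMS signature over a constructed commit object, the way
# git keeps a detached signature in the commit header instead of wrapping it.
sign_payload() {
  printf 'tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor Alice Developer <alice@example.com> 1700000000 +0000\ncommitter Alice Developer <alice@example.com> 1700000000 +0000\n\nExample commit (constructed payload)\n' > "$WORK/payload"
  openssl cms -sign -binary -signer "$WORK/alice.crt" -inkey "$WORK/alice.key" \
    -in "$WORK/payload" -outform PEM -out "$WORK/payload.sig" 2>/dev/null
  # A copy altered after signing, to show that verification also covers content.
  cp "$WORK/payload" "$WORK/tampered"
  printf 'tampered line\n' >> "$WORK/tampered"
}

# verify_with_store: check the detached signature over payload $2 using exactly
# the trust store $1 and nothing from the system bundle. Exit status 0 means the
# signer's certificate chains to a root in that store and the content matches.
verify_with_store() {
  openssl cms -verify -binary -inform PEM -in "$WORK/payload.sig" \
    -content "$2" -CAfile "$1" -no-CAfile -no-CApath \
    -out /dev/null 2>/dev/null
}

# signature_status: the badge a verifier trusting store $1 would give payload $2.
signature_status() {
  if verify_with_store "$1" "$2"; then echo verified; else echo unverified; fi
}

make_pki
sign_payload
echo "issuing root in trust store:         $(signature_status "$WORK/ca.crt" "$WORK/payload")"
echo "only an unrelated root in store:     $(signature_status "$WORK/other.crt" "$WORK/payload")"
echo "issuing root, payload altered:       $(signature_status "$WORK/ca.crt" "$WORK/tampered")"
```

The second case is the one that matters for an organizational CA: the signature is cryptographically sound, but a verifier whose bundle does not contain the issuing root still reports it as unverified, exactly as GitHub does for roots outside its ca-certificates bundle.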

Note: S/MIME signature verification is available in Git 2.19 or later. To update your version of Git, see the Git website.

To sign commits using S/MIME and have those commits verified on GitHub, follow these steps: